Phone : +91 95 8290 7788 | Email : sales@itmonteur.net

Register & Request Quote | Submit Support Ticket

Home » Cyber Security News » Vulnerabilities & Exploits » New RAMBO Attack Uses RAM Radio Signals to Steal Data from Air-Gapped Networks

New RAMBO Attack Uses RAM Radio Signals to Steal Data from Air-Gapped Networks

New RAMBO Attack Uses RAM Radio Signals to Steal Data from Air-Gapped Networks

https://firewall.firm.in/wp-content/uploads/2024/09/airgap.png

Sep 09, 2024Ravie LakshmananVulnerability / Hardware Security

Air-Gapped Networks

A novel side-channel attack has been found to leverage radio signals emanated by a device’s random access memory (RAM) as a data exfiltration mechanism, posing a threat to air-gapped networks.

The technique has been codenamed RAMBO by Dr. Mordechai Guri, the head of the Offensive Cyber Research Lab in the Department of Software and Information Systems Engineering at the Ben Gurion University of the Negev in Israel.

“Using software-generated radio signals, malware can encode sensitive information such as files, images, keylogging, biometric information, and encryption keys,” Dr. Guri said in a newly published research paper.

“With software-defined radio (SDR) hardware, and a simple off-the-shelf antenna, an attacker can intercept transmitted raw radio signals from a distance. The signals can then be decoded and translated back into binary information.”

Cybersecurity

Over the years, Dr. Guri has concocted various mechanisms to extract confidential data from offline networks by taking advantage of Serial ATA cables (SATAn), MEMS gyroscope (GAIROSCOPE), LEDs on network interface cards (ETHERLED), and dynamic power consumption (COVID-bit).

Some of the other unconventional approaches devised by the researcher entail leaking data from air-gapped networks via covert acoustic signals generated by graphics processing unit (GPU) fans (GPU-FAN), (ultra)sonic waves produced by built-in motherboard buzzers (EL-GRILLO), and even printer display panels and status LEDs (PrinterLeak).

Last year, Guri also demonstrated AirKeyLogger, a hardwareless radio frequency keylogging attack that weaponizes radio emissions from a computer’s power supply to exfiltrate real-time keystroke data to a remote attacker.

“To leak confidential data, the processor’s working frequencies are manipulated to generate a pattern of electromagnetic emissions from the power unit modulated by keystrokes,” Guri noted in the study. “The keystroke information can be received at distances of several meters away via an RF receiver or a smartphone with a simple antenna.”

As always with attacks of this kind, it requires the air-gapped network to be first compromised through other means – such as a rogue insider, poisoned USB drives, or a supply chain attack – thereby allowing the malware to trigger the covert data exfiltration channel.

RAMBO is no exception in that the malware is used to manipulate RAM such that it can generate radio signals at clock frequencies, which are then encoded using Manchester encoding and transmitted so as to be received from a distance away.

The encoded data can include keystrokes, documents, and biometric information. An attacker on the other end can then leverage SDR to receive the electromagnetic signals, demodulate and decode the data, and retrieve the exfiltrated information.

Cybersecurity

“The malware utilizes electromagnetic emissions from the RAM to modulate the information and transmit it outward,” Dr. Guri said. “A remote attacker with a radio receiver and antenna can receive the information, demodulate it, and decode it into its original binary or textual representation.”

The technique could be used to leak data from air-gapped computers running Intel i7 3.6GHz CPUs and 16 GB RAM at 1,000 bits per second, the research found, with keystrokes being exfiltrated in real-time with 16 bits per key.

“A 4096-bit RSA encryption key can be exfiltrated at 41.96 sec at a low speed and 4.096 bits at a high speed,” Dr. Guri said. “Biometric information, small files (.jpg), and small documents (.txt and .docx) require 400 seconds at the low speed to a few seconds at the fast speeds.”

“This indicates that the RAMBO covert channel can be used to leak relatively brief information over a short period.”

Countermeasures to block the attack include enforcing “red-black” zone restrictions for information transfer, using an intrusion detection system (IDS), monitoring hypervisor-level memory access, using radio jammers to block wireless communications, and using a Faraday cage.

Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.


Information Security - InfoSec - Cyber Security - Firewall Providers Company in India

 

 

 

 

 

 

 

 

 

 

 

 

What is Firewall? A Firewall is a network security device that monitors and filters incoming and outgoing network traffic based on an organization's previously established security policies. At its most basic, a firewall is essentially the barrier that sits between a private internal network and the public Internet.

 

Secure your network at the gateway against threats such as intrusions, Viruses, Spyware, Worms, Trojans, Adware, Keyloggers, Malicious Mobile Code (MMC), and other dangerous applications for total protection in a convenient, affordable subscription-based service. Modern threats like web-based malware attacks, targeted attacks, application-layer attacks, and more have had a significantly negative effect on the threat landscape. In fact, more than 80% of all new malware and intrusion attempts are exploiting weaknesses in applications, as opposed to weaknesses in networking components and services. Stateful firewalls with simple packet filtering capabilities were efficient blocking unwanted applications as most applications met the port-protocol expectations. Administrators could promptly prevent an unsafe application from being accessed by users by blocking the associated ports and protocols.

 

Firewall Firm is an IT Monteur Firewall Company provides Managed Firewall Support, Firewall providers , Firewall Security Service Provider, Network Security Services, Firewall Solutions India , New Delhi - India's capital territory , Mumbai - Bombay , Kolkata - Calcutta , Chennai - Madras , Bangaluru - Bangalore , Bhubaneswar, Ahmedabad, Hyderabad, Pune, Surat, Jaipur, Firewall Service Providers in India

Sales Number : +91 95 8290 7788 | Support Number : +91 94 8585 7788
Sales Email : sales@itmonteur.net | Support Email : support@itmonteur.net

Register & Request Quote | Submit Support Ticket